Re: How-to secure PosixAccount attr ?
FM wrote:
| Thank you,
|
| I already have this in my slapd.conf :
|
| saslRegexp
| uid=(.*),cn=REALM,cn=gssapi,cn=auth
| uid=$1,ou=People,dc=domain,dc=com
|
| but the main prob is when you do a whoami on id user, the ldap server
| log showed an anonymous bind (BIND="") and after several tests, I saw
| that it's the BIND from the /etc/ldap.conf. Is there a way that it sends
| my BIND instead of the one in the ldap.conf?

I see, this is OT as it is an nss_ldap issue but you can try to set
the following in your /etc/ldap.conf:
use_sasl on
pam_sasl_mech GSSAPI
#sasl_auth_id nssldap/my.domain
#krb5_ccname FILE:/tmp/krb5cc_nssldap
Note the two commented statements, it looks like it is possible to use a
proxy ID (sasl_auth_id) for all binds but if you need the ID of the
person trying to access your directory it's probably not very useful
here. I made a few tests with the above settings and it worked pretty
well. One thing however, you need a valid ticket before binding,
otherwise you will have the "I have no name!" prompt...but I digress ;)
hth
~ Paul
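
To check which identity nss_ldap will present for a given /etc/ldap.conf (the anonymous bind FM saw versus the SASL settings in the reply), here is an added example that is not part of the original message. The function name and mode labels are hypothetical; `binddn` is nss_ldap's simple-bind setting and is not mentioned in the thread, and treating `yes`/`true` like `on` is an assumption.

```shell
#!/bin/sh
# Classify how nss_ldap will bind, given the path to an ldap.conf.
# use_sasl, sasl_auth_id and krb5_ccname are the keys quoted in the reply;
# binddn is assumed here as the simple-bind DN setting.
bind_mode() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        NF < 2         { next }              # key without a value: ignore
        {
            key = tolower($1)
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # strip the key
            sub(/[ \t]+$/, "", val)                # strip trailing blanks
            conf[key] = val                        # last occurrence wins
        }
        END {
            sasl = tolower(conf["use_sasl"])
            if (sasl == "on" || sasl == "yes" || sasl == "true") {
                if (conf["sasl_auth_id"] != "")
                    print "sasl-proxy-id:" conf["sasl_auth_id"]
                else
                    print "sasl-user-ticket"   # needs a valid ticket first
            } else if (conf["binddn"] != "")
                print "simple:" conf["binddn"]
            else
                print "anonymous"              # shows up as BIND="" in the log
        }
    ' "$1"
}

# Constructed sample: the settings from the reply, proxy lines still commented.
demo() {
    f=$(mktemp)
    printf '%s\n' 'use_sasl on' 'pam_sasl_mech GSSAPI' \
        '#sasl_auth_id nssldap/my.domain' \
        '#krb5_ccname FILE:/tmp/krb5cc_nssldap' > "$f"
    bind_mode "$f"
    rm -f "$f"
}

demo
```

When the result is `sasl-user-ticket`, a non-zero exit from MIT Kerberos `klist -s` for the calling user corresponds to the "I have no name!" case described above.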